I’ve set up DNS-TLS at the house so that Comcast can’t see all of my DNS traffic and sell it for marketing purposes. Moreover, I’ve routed all of my sensitive traffic over my VPN so that they can’t see which IPs I’m visiting or look at the SSL SNI information to try to gather clues that way.
I’m using my pfSense firewall as a DNS resolver and VPN client to route all of my DNS traffic over my VPN, which terminates on a dedicated server in a Canadian datacenter. The results get tunneled back to my house via the VPN connection.
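For readers who want to see what "DNS over TLS" actually looks like on the wire before wiring it into a resolver, here is an added Python example (not code from the original post or from pfSense). It builds a standard DNS query, applies the two-byte length framing that DNS over TCP/TLS uses (RFC 7858, port 853), and parses the answer section of a reply. The reply bytes are constructed inline so the parser can be exercised offline; the resolver address and hostname in `query_over_tls` are placeholders you would replace with your own upstream. The TLS context verifies the certificate chain and hostname, which is the part that stops an on-path ISP box from quietly answering in the resolver's place.

```python
import socket
import ssl
import struct

# Added example, not from the original post. Demonstrates DNS-over-TLS framing
# (RFC 7858): a normal DNS message prefixed by a 2-byte big-endian length,
# carried inside a TLS session on TCP port 853.


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (QTYPE 1 = A, 28 = AAAA; class IN, RD set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its length, as required over TCP and TLS."""
    return struct.pack(">H", len(msg)) + msg


def unframe(data: bytes) -> bytes:
    """Strip the length prefix, rejecting short or truncated frames."""
    if len(data) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack(">H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("truncated DNS message")
    return data[2:2 + length]


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Parse a DNS response and return the IPv4 addresses in its answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")  # reply does not match our query
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode}")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed reply: txid 0x1234, flags 0x8180 (response, RD, RA), one question
# for example.com/A, one A record (name via compression pointer to offset 12)
# with TTL 300 pointing at 192.0.2.1 (TEST-NET-1, a documentation address).
CONSTRUCTED_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(name: str, server_ip: str, server_name: str,
                   port: int = 853, timeout: float = 5.0) -> list:
    """Resolve `name` over DNS-over-TLS. server_ip/server_name are placeholders
    for your own upstream; the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    txid = 0x1234
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name, txid)))
            hdr = _recv_exact(tls, 2)
            (length,) = struct.unpack(">H", hdr)
            body = _recv_exact(tls, length)
    return parse_a_records(unframe(hdr + body), txid)


if __name__ == "__main__":
    print(parse_a_records(CONSTRUCTED_RESPONSE, 0x1234))  # offline check
```

The offline path shows the framing and parsing; the live `query_over_tls` call is the same exchange your resolver performs, except that a resolver such as unbound on pfSense does it for every upstream query and keeps the TLS session open. The transaction-id and hostname checks are the two places where a reply that did not come from your chosen resolver gets rejected.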
I’ll post another detailed writeup when I get some time for anyone who may be interested in doing something similar.